The Rise of State Consumer Protection Act Cyber Cases

Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.

Courts have rejected many of these claims, but plaintiffs and regulators are increasingly having success with allegations of unfair business practices. At the federal level, the Federal Trade Commission (“FTC”) has obtained settlements in some of the largest breach settlements using this approach, including a $1.6 million settlement with Ashley Madison. We are now seeing a rise in state-law consumer protection cyber cases which are attractive to plaintiffs because these laws exist in every state and are interpreted liberally by courts.

The Massachusetts Attorney General filed a complaint against Equifax in September alleging violations of the Consumer Protection Act (“CPA”) for Massachusetts, and numerous individuals and entities nationwide are also bringing CPA claims against Equifax in other actions. For instance, Montana residents and consumers have filed a class action claiming that Equifax violated Montana’s CPA and engaged in unfair or deceptive practices when it continued to accept credit card information before it purged its systems of the hackers’ malware. Plaintiffs in an ongoing suit against Yahoo! alleged, among other things, violations of California’s CPA. The class action brought by banks against Target, which settled for $39 million, alleged violations of multiple states’ CPAs. The Home Depot data breach settlement also included claims for violation of eight CPAs.

Earlier this year, an action was brought by a purported class of financial institutions against Eddie Bauer in the wake of a 2016 data breach that is alleged to have compromised credit and debit card information at approximately 350 Eddie Bauer stores. Recently, the court in that case dismissed the plaintiffs’ common law negligence claim (finding no legal duty), but allowed the unfair and deceptive business practices claim to proceed. Washington’s CPA provides that “unfair or deceptive acts or practices in the conduct of any trade or commerce are . . . unlawful,” and similar language is found in most other state CPAs. The court in Eddie Bauer found that the alleged failure to take proper measures to protect credit card information could constitute an unfair act under the statute. Eddie Bauer had argued that the CPA claims should not proceed because the harm was caused by a criminal third party, but the court rejected that argument and applied a but-for proximate causation standard. The survival of these unfair business practices claims means that we are likely to see more state law CPA cyber cases in the future, and we will be sure to provide updates on interesting developments in this area.

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues.
